Looks good. I would just add that with Auth-proxy you can use the "list" part of the command to control what traffic you want to force to be authorized.
Be aware of Consent Proxy as well and how to do auth-proxy using the "ip auth-proxy" and "ip admission auth-proxy" command structure.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Richard Chan
Sent: Friday, April 15, 2011 10:33 PM
To: CCIE Security Maillist
Subject: [OSL | CCIE_Security] ASA CTP vs IOS auth-proxy

Hi all,

Can I confirm my understanding of CTP / Auth Proxy via your collective wisdom?

1. IOS Auth Proxy: the interface ACL can block all flows, even HTTP/Telnet that overlap the auth proxy list. I.e., deny ip any any works with Auth Proxy. The auth proxy list takes precedence: it redirects the incoming flow (even if denied by the interface ACL) to the AAA process. A downloaded ACL can add permits to the interface ACL.

2. ASA CTP is different: the interface ACL must allow the aaa authentication match ACL. After AAA, the downloaded ACL can add more permits to the interface ACL but must be a superset of the match ACL.

Any bugs in this understanding?

Regards
Richard
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
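The two models discussed in the thread, side by side, as an added configuration example (not taken from either post): on IOS the "list" ACL on the auth-proxy command selects which flows are intercepted and the interface ACL can deny everything, while on the ASA the interface ACL must already permit what the "aaa authentication match" ACL selects. The host addresses, subnets, server and key are constructed placeholders.

```cisco
! ===== IOS auth-proxy (classic "ip auth-proxy" syntax) =====
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.0.5 key PLACEHOLDER-KEY
!
! ACL 110 is the auth-proxy "list": only HTTP from 192.168.1.0/24 is
! intercepted and sent to AAA; other traffic never triggers the proxy.
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq www
!
! Interface ACL denies everything. Flows matching list 110 are still
! intercepted; after authentication the per-user downloaded ACL adds
! permits in front of this deny.
access-list 101 deny ip any any
!
ip auth-proxy auth-cache-time 60
ip auth-proxy name WEB-AUTH http list 110
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip auth-proxy WEB-AUTH
!
! Equivalent newer "ip admission" syntax for the same policy:
! ip admission name WEB-AUTH proxy http list 110
! interface GigabitEthernet0/0
!  ip admission WEB-AUTH

! ===== ASA cut-through proxy =====
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.0.5
 key PLACEHOLDER-KEY
!
! Match ACL selects the flows that must authenticate.
access-list CTP-MATCH extended permit tcp 192.168.1.0 255.255.255.0 any eq www
!
! Interface ACL must PERMIT the matched flows (unlike IOS); a plain
! "deny ip any any" here would drop them before the proxy ever runs.
access-list INSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface inside
!
aaa authentication match CTP-MATCH inside TACACS
```

The per-user ACL downloaded from the AAA server is what widens access after a successful login on both platforms; the difference the thread points out is only whether the interface ACL has to admit the authentication trigger traffic itself.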
